ADC Submitted Access Control Bypass Vulnerability to Oracle; Critical Patch Update Released Tuesday

WHO:

Imperva Application Defense Center (ADC), Imperva’s independent research organization.

WHAT:

Discovered an access control bypass vulnerability that affects all Oracle versions up to 10gR2. Unauthorized users can exploit this vulnerability to extract information from any table in a database server. The vulnerability is in the Direct Path Export functionality. Oracle issued a Critical Patch Update yesterday that addresses this vulnerability and others.

Imperva SecureSphere Database Security Gateway appliances can protect Oracle products against this flaw until it is patched. For more details on this vulnerability see the Imperva Security Advisory at the link below.

WHERE:

WHEN:

Imperva today made available a Security Advisory on this vulnerability. Oracle released the Critical Patch Update on April 15th, 2008.

HOW:

ADC conducts ongoing research into database security issues, and discovered this vulnerability during an in-depth analysis of the Oracle Database platform. ADC’s research findings are used to enhance the SecureSphere product line with next-generation attack detection and protection features.

About the Imperva Application Defense Center

Imperva’s independent research organization, the Application Defense Center (ADC), is internationally recognized for security analysis, vulnerability discovery, and compliance expertise. ADC research combines extensive lab work with hands-on testing in real-world environments to ensure that Imperva’s products have the most advanced technology, up-to-date threat protection, and unparalleled compliance automation. Having discovered over 60 commercial application vulnerabilities and issued numerous security advisories, the ADC offers exceptional insight into both published and unpublished security threats.

About Imperva

Imperva, the Data Security leader, enables a complete security lifecycle for business databases and the applications that use them. Over 4,500 of the world’s leading enterprises, government organizations, and managed service providers rely on Imperva to prevent sensitive data theft, protect against data breaches, secure applications, and ensure data confidentiality. The award-winning Imperva SecureSphere is the only solution that delivers full activity monitoring from the database to the accountable application user and is recognized for its overall ease of management and deployment. For more information, visit www.imperva.com.

# # #

Imperva and SecureSphere are registered trademarks of Imperva, Inc. All other brand or product names are trademarks or registered trademarks of their respective holders.

Editorial Contact

Marc Gendron
(781) 237-0341
marc@mqpr.net